Founded in 2009, Posteo is a respected secure email provider based in Germany. The service is very affordable, yet goes above and beyond to ensure the privacy of its users.
In addition to their strong encryption options, Posteo also supports the SMTP, POP, and IMAP protocols. This means you can use Posteo on any device, with any email client that supports these protocols.
Pros
- Mail, Calendar, Contacts, and Notes are encrypted at rest with OpenPGP on secure servers in Germany
- Subject, headers, body, metadata, and attachments are encrypted
- Includes Messages, Calendar, Contacts (Address Book), and Notes
- Completely Open Source
- Strong commitment to privacy, sustainable energy, and other social initiatives
- Self-financed; good track record (operating since 2009)
- Maximum privacy: no logs, IP address stripping, secure email storage with daily backups
- Allows anonymous (cash) payments
- Supports the SMTP, POP, and IMAP protocols, plus Two-Factor Authentication
Cons
- Custom domains not supported; no “.com” options available
- No spam folder (spam emails are either rejected or delivered to regular inbox)
- Germany is a 14 Eyes country
- No trial or free version
- Cryptocurrency payments not supported
Today we’re going to take a good look at Posteo. Depending on your threat model and other needs, it could well be the secure email service you have been looking for.
Posteo features overview
More than just secure email, Posteo provides a suite of services. You get secure:
- Address Book (contacts)
- Secure Notes
Like Mailfence, Posteo aims to offer a fully-featured alternative to Gmail.
Interesting features of Posteo include:
- Reliance on a true “green energy” source from Greenpeace Energy.
- Their anonymized payment system, which separates your personal payment information from your account information.
- Easy integration with many email services and clients
- SMTP, POP, IMAP, CalDAV, CardDAV support
Posteo company information
Posteo is headquartered in Berlin, Germany, where it has been operating since 2009. The company prides itself on the fact that it’s entirely self-financed, with no loans, debts, or foreign investors.
Their services are anonymized to the maximum extent practical, in line with their company vision, which is,
…to provide an impetus for greater security, privacy and sustainability on the internet, and offer alternatives.
Thanks to their focus on this vision, their userbase exploded after the Snowden leaks in 2013. Since then, they have continued to push forward. In 2014, they became the first German company to publish a Transparency Report. They were also the first company in the world to implement DNS-Based Authentication of Named Entities (DANE).
On the sustainability front, Posteo relies on real “green energy” from Greenpeace Energy. They recycle paper and use energy-efficient hardware. They even manage their money in a sustainable way. See their Sustainability page for more information.
Posteo technical specifications
Posteo uses a range of encryption algorithms and techniques, some of which are user options. These include:
- TLS with Perfect Forward Secrecy (PFS)
- HTTP Strict Transport Security (HSTS)
- Optional Two-Factor Authentication (2FA) with TOTP support
- dm-crypt/LUKS encryption on the mail servers
- Optional on-server email encryption with RSA, AES, HMAC, and bcrypt hashing
- Optional inbound message encryption with S/MIME or OpenPGP
- SMTP, POP, IMAP
- CalDAV and CardDAV
Posteo also explains on their encryption page that they have undergone “an external, multi-level security audit” performed by Cure53. Cure53 is a reputable cybersecurity firm that also conducts VPN security audits, such as with the ExpressVPN browser extensions.
While Posteo provides a secure service, end-to-end encryption of your messages is not provided by default. They go to great lengths to protect your data, but as they put it,
In addition to our measures, you can also become active yourself – securing your emails’ content using personal end-to-end encryption.
To use end-to-end encryption, you need to install the Open Source app, Mailvelope. Instructions for enabling and using email encryption are here.
Posteo hands-on testing
For this Posteo review, I used the standard version without any extra storage or optional elements.
Signing up for Posteo
The experience of signing up for Posteo was somewhat different than that of other email services I’ve used. It was not difficult, just a bit confusing and unusual. See the Plans and Pricing section of this article for more details.
The look and feel of Posteo
Posteo has a pretty standard user interface. It is based on an Open Source email client called Roundcube, but has been modified to include the additional functionality that Posteo provides. In the following sections we’ll examine the interface and its various elements.
The email section of Posteo is pretty standard. It includes the options you are most likely to need displayed where you can easily find them. Assuming you are not using end-to-end encryption, creating, sending, and receiving messages is simple.
Here’s the basic layout of emails in the Posteo inbox:
Sending and receiving messages
Sending and receiving messages works as you would expect. However, you may have more options than normal, given all the customization and preferences. Here’s what the New Message window looks like, with HTML message formatting selected:
If you are going to send or receive an end-to-end encrypted message, things get a lot more complicated. For full instructions on using Mailvelope to encrypt/decrypt messages, visit the Mailvelope Help page.
If you are considering moving over to Posteo from another email service, you can take advantage of their migration service. This can bring over your email and the file structure from up to three other email services.
NOTE: For additional security, you can tell Posteo to encrypt your mailbox. However, if you do this, and subsequently lose your password, no one, not even Posteo Support, can recover your encrypted messages. Furthermore, you will no longer be able to retrieve mail on other email clients. Lastly, I’ve seen reports that encrypting your mailbox prevents the search function from working.
The Posteo Address Book has all the features you would expect in a modern email service. This includes the ability to store a photo and personal info about each contact, as well as synchronization and Group features.
Beyond that, Posteo can import your contacts from many other services. It can even encrypt your Address Book, such that not even Posteo can view your contacts. As with encrypting your mailbox, if you lose the encryption password, your contacts are lost beyond retrieval.
Pretty much everything I just told you about the Address Book applies to the Calendar as well. It has all the features you would expect. This includes the ability to import your data from other calendars, merge external calendar feeds into your calendar, share items, view it on other devices, and receive reminders.
As you might expect by now, you can also migrate calendar data from other services and encrypt your Posteo calendar. Finally, you have the same risk of losing everything if you misplace the password for the calendar.
The Posteo Notes section works a little differently than the other sections of Posteo. It gives you the basic functions you would expect.
Interestingly, Notes seems like a separate application that works with Posteo rather than being closely integrated into the product. For example, Notes will resize itself to fit whatever size screen it is on, unlike other sections of Posteo. In addition, if you activate the Additional Email Protection feature, Notes stops working.
Posteo offers a vast number of options you can use to tweak the service for your particular needs. To get to them, click the Settings icon in any Posteo window. This takes you to the My Account page:
As you can see, there are a ton of options you can select, far more than we could discuss here. Clicking the Preferences icon likewise gives you another huge set of things you can configure.
If you are looking for an email service that you can configure the way you want, Posteo could be that service.
No mobile and desktop apps
Posteo does not have any mobile or desktop apps. To work with the Posteo system you can use the browser interface on desktops, or a third-party email client on desktops or mobile devices.
While the browser interface may serve your needs on a full-sized desktop computer, you will definitely want to use a third-party app with mobile devices. That’s because, as of October 2019, Posteo’s browser interface was not responsive or adaptive to smaller screens.
When using the browser interface on a mobile device, you can only see a part of the interface at a time, making it really annoying to try to use Posteo this way. Here is an example of what the browser interface looks like on a Samsung Galaxy S9+, a phone with a high-quality, high-resolution display:
Not ideal for mobile users.
The Posteo Support team has a good reputation. The only drawback is that they do not have a support ticket system, nor any kind of live chat. They may need 24 hours or more to get back to you. This can leave you in limbo, wondering when someone will help or if anyone has seen your request.
One thing that particularly stands out about Posteo Support is their incredibly extensive and usable written documentation. The website itself is full of useful information designed to tell you everything you might want to know about Posteo before you send them any money.
The Help section also has a ton of how-to and troubleshooting information. If you ever run into problems with Posteo, I recommend taking a few minutes to search the site and the help system first. Chances are good you will find the answer to your question without having to send an email to Support.
Posteo pricing and plans
Posteo has a single pricing plan with a few options. The plan is very affordable, at 1 Euro per month. However, there is no free trial offered and you must pay for a minimum of 12 months up front.
You do have the “Right of Revocation,” which works like a 14-day, no questions asked, money-back guarantee. Plus you can cancel at any time and get a prorated refund of any unused credit.
You can pay for your account by PayPal, credit card, bank transfer, and by sending physical cash in the mail.
When you sign up and enter your payment details, you get partial access to the service. Full access is granted once your payment is processed by the company.
I found the whole Posteo signup process to be somewhat clumsy and confusing. However, there is a good reason for this. Posteo supports completely anonymous registration and dissociates your payments from your account. If you pay with a credit card, PayPal, or some other digital method, they manually separate the payment information from the record of your account. This means that there is no personally identifiable information connected with your account:
We separate payment data and email accounts from each other. We thereby do not connect any personal information to the email accounts. This effectively prevents data theft and ensures the use of our email service in line with data reduction principles.
If you value privacy and security, this separation of personal data from your email account surely justifies some small inconvenience and delay at signup time.
Does Posteo keep logs?
In terms of respecting user privacy through minimal logging, Posteo does pretty well.
In conformity with the law, we strictly do not collect and save any IP addresses that could be traced back to customers. This was independently confirmed in an audit report by the German Federal Commissioner for Data Protection. We also do not collect your IP address if you visit our website or if you use our contact form or webmailer. We also do not collect or save your IP address if you use an external client to retrieve your emails via IMAP or POP3 or to transmit messages via SMTP to be delivered by us. In the communication between email servers via SMTP, we come to know the IP addresses of other email servers (for example IP addresses from GMX and Gmail servers). The IP addresses of provider servers are only logged in the logfiles when errors occur and deleted after 7 days.
We exclusively record errors that occur when sending and receiving emails to quickly identify and correct technical disruptions and errors. We delete this data, which cannot be traced back to an individual, automatically after 7 days. In addition, we create generic, anonymised system usage and capacity statistics. These statistics also do not contain any personal information or IP addresses.
You can also see the Posteo Transparency Report, which discloses the data requests they’ve received and processed. Lastly, as we’ve noted before, if you are concerned about your IP address being logged, simply use a good VPN service to hide it.
Should you consider Posteo?
Okay. The question is, “Should you consider Posteo?” The answer is, “Probably.”
This is a company that really goes out of its way to provide a secure email service. They’ve been around for 10 years and have a solid reputation. The service is rich with features and offers a huge number of options you can customize for your needs.
On the other hand, all that customizability makes it more complicated.
Do you want extra encryption on the email stored on their servers, or do you want to be able to work with your email on your phone?
Do you want to encrypt your contacts so that no one, not even Posteo, can see them? Or perhaps you want Posteo Support to be able to recover them for you if you lose your password…
What I’m saying is that you will need to put some thought and effort into getting Posteo to work the way you want it. This is in contrast to other email providers that are maximum security by default – no customization necessary.
Which leads us to…
If Posteo isn’t the answer for you, which services should you investigate instead? Surely, one service to check out is ProtonMail.
ProtonMail has similar features to Posteo, including strong security and end-to-end encryption, but without so many options. It also offers a way to send encrypted messages outside the system without the headaches of PGP.
Tutanota is another email service to consider. It too has similar features, with fewer setup hassles, along with default end-to-end encryption and the ability to send encrypted messages without all that PGP fun.
Lastly, Mailfence is another good option we’ve covered that is also feature-rich. However, it does not offer the same level of (high) security as Tutanota or ProtonMail.
Posteo review conclusion
Posteo is a very privacy- and security-conscious product that will work well for many types of users.
It offers lots of scope for customization if you are willing to invest the time to customize the service to your liking. Posteo is also the most socially-conscious email service I’ve run into so far, if considerations like sustainable energy and finance are important to you.
You can learn more about Posteo on their website here.